Overview
This chapter provides information about the Cisco Virtual Security Gateway (Cisco VSG) and the Cisco Virtual Network Management Center (Cisco VNMC). It also provides information about HA (High Availability).
This chapter includes the following sections:
•Information About Installing the Cisco Virtual Network Management Center and the Cisco Virtual Security Gateway
•Information About Cisco Virtual Security Gateway
•Information About the Cisco Virtual Network Management Center
•Information About High Availability
Information About Installing the Cisco Virtual Network Management Center and the Cisco Virtual Security Gateway
The Cisco Virtual Network Management Center (Cisco VNMC) and the Cisco Virtual Security Gateway (Cisco VSG) must be installed in a particular sequence in order to have a functioning virtual system. Part 1, the Quick Start Guide for Cisco Virtual Security Gateway and Cisco Virtual Network Management Center provides that critical sequence information that you need for a successful installation.
Information About Cisco Virtual Security Gateway
The Cisco Virtual Security Gateway (VSG) for the Cisco Nexus 1000V Series switch is a virtual firewall appliance that provides trusted access to virtual data center and cloud environments with dynamic policy-driven operation, mobility-transparent enforcement, and scale-out deployment for dense multitenancy. By grouping one or more virtual machines (VMs) into distinct trust zones, the Cisco VSG ensures that access to each zone is controlled and monitored through established security policies. Figure 1-1 shows the trusted zone-based access control that is used in per-tenant enforcement with the Cisco VSG.
Figure 1-1 Trusted Zone-Based Access Control Using Per-Tenant Enforcement with the Cisco VSG
VNMC and VSG Architecture
The Cisco VSG operates with the Cisco Nexus 1000V distributed virtual switch in the VMware vSphere Hypervisor, and it leverages the virtual network service data path (vPath) that is embedded in the Cisco Nexus 1000V Virtual Ethernet Module (VEM) (see Figure 1-2). vPath steers traffic, whether external-to-VM or VM-to-VM, to the Cisco VSG of the tenant. A split-processing model is applied: the first packets of a flow are processed in the Cisco VSG for policy evaluation and enforcement, and after the policy decision is made, the Cisco VSG offloads enforcement of the remaining packets of that flow to vPath.
vPath supports the following features:
•Tenant-aware flow classification and subsequent redirection to a designated Cisco VSG tenant
•Per-tenant policy enforcement of flows offloaded by Cisco VSG to vPath
The Cisco VSG and Cisco Nexus 1000V VEM provide the following benefits (see Figure 1-3):
•Each Cisco VSG can protect across multiple physical servers, which eliminates the need for you to deploy one virtual appliance per physical server.
•By offloading the fast-path to one or more Cisco Nexus 1000V VEM vPath modules, the Cisco VSG enhances performance through distributed vPath-based enforcement.
•You can insert the Cisco VSG in one-arm mode without creating multiple switches or temporarily migrating VMs to different switches or servers. Zone scaling is based on security profiles, not on vNICs, which are a limited resource for virtual appliances. This simplifies physical server upgrades without compromising security or incurring application outages.
•For each tenant, you can deploy the Cisco VSG in an active-standby mode to ensure that vPath redirects packets to the standby Cisco VSG when the primary Cisco VSG is unavailable.
•You can place the Cisco VSG on a dedicated server so that the security operations team can allocate the maximum compute capacity to application workloads. This feature enables capacity planning to occur independently across server and security teams, and operational segregation across security, network, and server teams.
Figure 1-2 Cisco Virtual Security Gateway Deployment Topology
Trusted Multitenant Access
You can transparently insert a Cisco VSG into the VMware vSphere environment where the Cisco Nexus 1000V is deployed. One or more instances of the Cisco VSG are deployed on a per-tenant basis, which allows a highly scale-out deployment across many tenants. Tenants are isolated from each other, so no traffic can cross tenant boundaries. Depending on the use case, you can deploy a Cisco VSG at the tenant level, at the virtual data center (vDC) level, or at the vApp level.
As VMs are instantiated for a given tenant, their association to security profiles, and therefore their zone membership, occurs immediately through binding with the Cisco Nexus 1000V port profile. Each VM is therefore placed into a logical trust zone upon instantiation (see Figure 1-2). Security profiles contain context-aware rule sets that specify access policies for traffic that enters and exits each zone. In addition to VM and network contexts, security administrators can also leverage custom attributes that define zones directly through security profiles. Controls are applied to zone-to-zone traffic as well as to external-to-zone (and zone-to-external) traffic. Zone-based enforcement can also occur within a single VLAN, because a VLAN often identifies a tenant boundary rather than a zone boundary. The Cisco VSG evaluates access control rules and then offloads enforcement to the Cisco Nexus 1000V VEM vPath module for performance optimization. Upon enforcement, the action taken is to permit or deny access, and optional access logs can be generated. The Cisco VSG also provides policy-based traffic monitoring capability through these access logs.
Dynamic (Virtualization-Aware) Operation
A virtualization environment is dynamic: additions, deletions, and changes occur frequently across tenants and especially across VMs. Live migration of VMs can occur due to manual or programmatic vMotion events. Figure 1-3 shows how the structured environment of Figure 1-2 can change over time in such a dynamic VM environment.
Figure 1-3 Cisco VSG Security in a Dynamic VM Environment, Including VM Live Migration
The Cisco VSG operating with the Cisco Nexus 1000V (and vPath) supports a dynamic VM environment. Typically, when you create a tenant with a Cisco VSG (standalone or active-standby pair) on the Cisco Virtual Network Management Center (Cisco VNMC), you also define the associated security profiles, which include trust zone definitions and access control rules. Each security profile is bound to a Cisco Nexus 1000V port profile; port profiles are authored on the Cisco Nexus 1000V Virtual Supervisor Module (VSM) and published to the VMware vCenter. When a new VM is instantiated, the server administrator assigns the appropriate port profile to the virtual Ethernet port of the VM. Because the port profile uniquely refers to a security profile, and therefore to the VM's zone membership, security controls are applied immediately. A VM can be repurposed by assigning it a different port profile or security profile.
As vMotion events are triggered, VMs move across physical servers. Since the Cisco Nexus 1000V ensures that port profile policies follow the VMs, associated security profiles also follow these moving VMs, and security enforcement and monitoring remain transparent to vMotion events.
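The following is an added example, constructed for this overview and not Cisco code, that models the split-processing path described above in VNMC and VSG Architecture and the port-profile binding and vMotion behaviour described in this section. It does not model real packet formats or the vPath encapsulation; zone names, rule syntax, addresses, host names, and profile names (SP-web, pp-web, and so on) are assumptions made for the illustration. The first packet of a flow is redirected from the host's VEM (vPath) to the tenant's VSG, which maps each endpoint to a zone through its port-profile to security-profile binding, evaluates the zone rules, and returns a verdict that vPath caches and enforces for the rest of the flow. A vMotion moves the port profile, and so the zone, with the VM, so the destination host obtains the same verdict on the next packet.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, str, int]  # (src_ip, dst_ip, proto, dst_port)


@dataclass(frozen=True)
class Rule:
    src_zone: str            # zone name, "external", or "any"
    dst_zone: str
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any port
    action: str              # "permit" or "deny"


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    port_profile: str        # chosen by the server admin in vCenter


class VSG:
    """Tenant firewall: security profiles (zone + rules) plus the
    port-profile -> security-profile binding authored on the VSM."""

    def __init__(self, profiles: Dict[str, Tuple[str, List[Rule]]],
                 binding: Dict[str, str]) -> None:
        self.profiles = profiles  # security profile -> (zone, rules)
        self.binding = binding    # port profile -> security profile
        self.access_log: List[Tuple[FlowKey, str, str, str]] = []

    def zone_of(self, vm: Optional[VM]) -> str:
        if vm is None:            # not a VM on this tenant's switch
            return "external"
        return self.profiles[self.binding[vm.port_profile]][0]

    def evaluate(self, src: Optional[VM], dst: VM, key: FlowKey) -> str:
        """First-packet policy decision; later packets of the flow never reach here."""
        src_zone, dst_zone = self.zone_of(src), self.zone_of(dst)
        rules = self.profiles[self.binding[dst.port_profile]][1]
        action = "deny"           # implicit deny when no rule matches
        for r in rules:
            if (r.src_zone in (src_zone, "any") and r.dst_zone == dst_zone
                    and r.proto in (key[2], "any")
                    and r.dst_port in (key[3], None)):
                action = r.action
                break
        self.access_log.append((key, src_zone, dst_zone, action))
        return action


class Host:
    """One hypervisor host: its VEM holds attached VMs and the vPath flow cache."""

    def __init__(self, name: str, fabric: "Fabric") -> None:
        self.name, self.fabric = name, fabric
        self.vms: Dict[str, VM] = {}
        self.flow_table: Dict[FlowKey, str] = {}
        self.redirects = 0        # packets punted to the VSG

    def forward(self, key: FlowKey) -> str:
        if key in self.flow_table:      # fast path: vPath enforces locally
            return self.flow_table[key]
        self.redirects += 1             # slow path: redirect to the VSG
        verdict = self.fabric.vsg.evaluate(
            self.fabric.find_vm(key[0]), self.vms[key[1]], key)
        self.flow_table[key] = verdict  # VSG offloads the flow to vPath
        return verdict


class Fabric:
    """All hosts under one Nexus 1000V, protected by one tenant VSG."""

    def __init__(self, vsg: VSG) -> None:
        self.vsg = vsg
        self.hosts: Dict[str, Host] = {}

    def add_host(self, name: str) -> Host:
        return self.hosts.setdefault(name, Host(name, self))

    def find_vm(self, ip: str) -> Optional[VM]:
        return next((h.vms[ip] for h in self.hosts.values() if ip in h.vms), None)

    def send(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
        """Enforcement happens on the VEM of the host that owns the target VM."""
        host = next(h for h in self.hosts.values() if dst_ip in h.vms)
        return host.forward((src_ip, dst_ip, proto, dport))

    def vmotion(self, vm: VM, src: str, dst: str) -> None:
        """Live-migrate: the port profile, and with it the security profile and
        zone, travels with the VM; the new host has no cached verdict, so the
        next packet is re-evaluated by the VSG and gets the same answer."""
        del self.hosts[src].vms[vm.ip]
        self.hosts[dst].vms[vm.ip] = vm
        self.hosts[src].flow_table = {k: v for k, v in self.hosts[src].flow_table.items()
                                      if k[1] != vm.ip}   # drop now-stale flows


def build_demo() -> Tuple[Fabric, VM, VM]:
    """Constructed two-zone tenant: web reachable from outside on TCP/443,
    db reachable only from the web zone on TCP/3306, everything else denied."""
    vsg = VSG(
        profiles={"SP-web": ("web", [Rule("external", "web", "tcp", 443, "permit")]),
                  "SP-db": ("db", [Rule("web", "db", "tcp", 3306, "permit")])},
        binding={"pp-web": "SP-web", "pp-db": "SP-db"})
    fabric = Fabric(vsg)
    web1, db1 = VM("web1", "10.0.1.10", "pp-web"), VM("db1", "10.0.2.10", "pp-db")
    fabric.add_host("esx-a").vms[web1.ip] = web1
    fabric.add_host("esx-b").vms[db1.ip] = db1
    fabric.add_host("esx-c")                      # spare host for the vMotion
    return fabric, web1, db1


if __name__ == "__main__":
    fabric, web1, db1 = build_demo()
    print(fabric.send("203.0.113.5", web1.ip, "tcp", 443))  # permit (via VSG)
    print(fabric.send("203.0.113.5", web1.ip, "tcp", 443))  # permit (vPath cache)
    print(fabric.send(web1.ip, db1.ip, "tcp", 3306))         # permit
    print(fabric.send("203.0.113.5", db1.ip, "tcp", 3306))   # deny
    fabric.vmotion(web1, "esx-a", "esx-c")
    print(fabric.send("203.0.113.5", web1.ip, "tcp", 443))  # permit on esx-c
```

Two points worth noticing when running it: the redirect counter on esx-a stays at one for the repeated flow, which is the offload the architecture section describes, and after the vMotion the access log shows a second evaluation of the same flow on esx-c with the same verdict, because the zone is derived from the port profile that moved with the VM, not from the host it runs on.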
Setting Up Cisco VSG and VLAN Usages
The Cisco VSG is set up in an overlay fashion so that VMs can reach a Cisco VSG irrespective of its location. The vPath component in the Cisco Nexus 1000V VEM intercepts the packets from the VM and sends them to the Cisco VSG for further processing.
Figure 1-4 shows Cisco VSGs in a typical arrangement. In the figure, the Cisco VSG has connectivity to three different VLANs (service VLAN, management VLAN, and HA VLAN). A Cisco VSG is configured with three vNICs (data vNIC (1), management vNIC (2), and HA vNIC (3)), each connected to one of the VLANs through a port profile. The VLAN functions are as follows:
•The service VLAN provides communications between the Cisco Nexus 1000V VEM and Cisco VSGs. All the Cisco VSG data interfaces are part of the service VLAN and the VEM uses this VLAN for its interaction with Cisco VSGs.
•The management VLAN connects the management platforms (the VMware vCenter, the Cisco Virtual Network Management Center, and the Cisco Nexus 1000V VSM) with the managed Cisco VSGs. The Cisco VSG management vNIC is part of the management VLAN.
•The HA VLAN carries the heartbeat mechanism and establishes the active and standby relationship between the VSGs. The Cisco VSG HA vNICs are part of the HA VLAN.
You can allocate one or more VM data VLAN(s) for VM-to-VM communications. In a typical multitenant environment, the management VLAN is shared among all the tenants, and the service VLAN, HA VLAN, and the VM data VLAN are allocated on a per-tenant basis. However, when VLAN resources become scarce, you might decide to use a single VLAN for service and HA functions.
Figure 1-4 Cisco Virtual Security Gateway VLAN Usages
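As an added example (not from this page or Cisco's own documentation) of how the bindings and VLAN roles above appear in configuration, the fragment below shows the VSM side for one tenant. The command syntax is that of the Cisco Nexus 1000V releases that support Cisco VSG 1.x (the vnm-policy-agent block, and the org and vn-service keywords under a vEthernet port profile); the addresses, VLAN numbers, tenant, profile names, image file name, and shared secret are constructed placeholders and must be replaced with your own values.

```text
! VSM policy agent: registers the VSM with the Cisco VNMC over the management VLAN
vnm-policy-agent
  registration-ip 10.10.10.20                    ! Cisco VNMC address (constructed)
  shared-secret ReplaceWithVnmcSharedSecret      ! same secret configured on the VNMC
  policy-agent-image bootflash:vnmc-vsmpa.1.0.1j.bin
  log-level info

! Tenant-A VLANs: the VSG data vNIC sits on the service VLAN, VMs on the VM data VLAN
vlan 200
  name tenant-a-service
vlan 100
  name tenant-a-vmdata

! vEthernet port profile for the web zone. "org" names the VNMC tenant and
! "vn-service" points vPath at the tenant VSG's data address on the service
! VLAN and names the security profile that every VM on this port profile joins.
port-profile type vethernet pp-web
  vmware port-group
  switchport mode access
  switchport access vlan 100
  org root/Tenant-A
  vn-service ip-address 10.10.200.10 vlan 200 security-profile SP-web
  no shutdown
  state enabled
```

The practitioner's check is that the security profile named in vn-service exists under the same org on the VNMC and that the VSG data interface is actually reachable on the service VLAN from every VEM that can host a pp-web VM; if either is wrong, VMs on that port profile are bound to a zone whose policy is never evaluated.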
Information About the Cisco Virtual Network Management Center
Cisco VNMC is a virtual appliance, based on Red Hat Enterprise Linux (RHEL), that provides centralized device and security policy management of the Cisco Virtual Security Gateway (VSG) for the Cisco Nexus 1000V Series switch. Designed for multitenant operation, Cisco VNMC provides seamless, scalable, and automation-centric management for virtual data center and cloud environments. With a web-based GUI, CLI, and XML APIs, Cisco VNMC enables you to manage Cisco VSGs that are deployed throughout the data center from a centralized location.
In a multitenant architecture, a single instance of the software runs on a Software-as-a-Service (SaaS) server and serves multiple client organizations, or tenants. In contrast, a multi-instance architecture sets up separate software instances for different client organizations. With a multitenant architecture, a software application can virtually partition data and configurations so that each tenant works with a customized virtual application instance.
The Cisco VNMC is built on an information model-driven architecture, where each managed device is represented by its subcomponents.
This section includes the following topics:
•Cisco VNMC Components
•System Requirements
Cisco VNMC Components
This section includes the following topics:
•Cisco VNMC Key Benefits
•Cisco VNMC Architecture
•Cisco VNMC Security
•Cisco VNMC API
•Cisco VNMC and VSM
Figure 1-5 shows the Cisco VNMC components.
Figure 1-5 Cisco VNMC Components
Cisco VNMC Key Benefits
The Cisco VNMC provides the following key benefits:
•Rapid and scalable deployment with dynamic, template-driven policy management based on security profiles.
•Seamless operational management through XML APIs that enable integration with third-party management tools.
•Nondisruptive administration model that enables greater collaboration across security and server administrators, while maintaining administrative separation and reducing administrative errors.
Cisco VNMC Architecture
Cisco VNMC architecture includes the following components:
•A centralized repository for managing security policies (security templates) and object configurations that allow managed devices to be stateless.
•A centralized resource management function that manages pools of devices that are commissioned and pools of devices that are available for commissioning. This function simplifies large scale deployments because:
–Devices can be preinstantiated and then configured on demand
–Devices can be allocated and deallocated dynamically across commissioned and noncommissioned pools
•A distributed management-plane function that uses an embedded management agent on each device that allows for a scalable management framework.
Cisco VNMC Security
The Cisco VNMC uses security profiles for tenant-centric template-based configuration of security policies. A security profile is a collection of security policies that are predefined and applied on an on-demand basis at the time of virtual machine (VM) instantiation. These profiles simplify authoring, deployment, and management of security policies in a dense multitenant environment, reduce administrative errors, and simplify audits.
Cisco VNMC API
An important component of the Cisco VNMC is the XML API, which allows you to coordinate with third-party provisioning tools for programmatic provisioning and management of Cisco VSGs. This feature allows you to simplify data center operational processes and reduce the cost of infrastructure management.
Cisco VNMC and VSM
The Cisco VNMC operates with the Cisco Nexus 1000V Virtual Supervisor Module (VSM) to achieve the following scenarios:
•Security administrators author and manage security profiles as well as manage Cisco VSG instances. Security profiles are referenced in Cisco Nexus 1000V port profiles via the Cisco VNMC interface.
•Network administrators author and manage port profiles as well as manage Cisco Nexus 1000V switches. Port profiles are referenced in vCenter via the Cisco Nexus 1000V VSM interface.
•Server administrators select the appropriate port profiles in the vCenter when instantiating a virtual machine.
System Requirements
System requirements for a Cisco VNMC are as follows:
•x86 Intel or AMD server with 64-bit processor listed in the VMware compatibility matrix
•Intel VT is enabled in the BIOS
•VMware ESX 4.0, 4.0 U1, 4.0 U2 or 4.1
•VMware vSphere Hypervisor
•VMware vCenter 4.0, 4.0 U1, 4.0 U2 or 4.1
•2-GB memory reserved for each Cisco VNMC installation
•Datastore with at least 25-GB disk space available on shared NFS/SAN storage when Cisco VNMC is deployed in an HA cluster
•Internet Explorer 7.0 or Mozilla Firefox 3.6.x on Windows
•Flash 10.0 or 10.1
Note If you are running Firefox or IE and do not have Flash, or you have a version of Flash that is older than 10.1, a message displays asking you to install Flash and provides a link to the Adobe website. The express install wizard appears.
Note You can find VMware compatibility guides at http://www.vmware.com/resources/compatibility/search.php
Information About High Availability
VMware high availability (HA) provides a base level of protection for a Cisco VNMC VM by restarting it on another host in the HA cluster. With VMware HA, data is protected through shared storage. Cisco VNMC services can be restored in a few minutes. Transient data such as user sessions is not preserved in the service transfer, so existing users and in-flight service requests must be reauthenticated.
Requirements for supporting VMware HA in Cisco VNMC are as follows:
•At least two hosts per HA cluster
•VM and configuration files located on the shared storage, with every host in the cluster configured to access that shared storage
For additional details refer to the VMware HA and Fault Tolerance guide.